PRIOn knowledge base: PRION:CVE-2015-3224
History: Jul 26, 2015 - 10:59 p.m.

Cross site request forgery (csrf)

2015-07-26 22:59:00
PRIOn knowledge base
www.prio-n.com

AI Score: 6.9 Medium (Confidence: Low)

EPSS: 0.929 High (Percentile: 99.0%)

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

CPE Name | Operator | Version
web_console | le | 2.1.2
